System Rule: Client Exploit - Mass Mailing Worm

The rule System Rule: Client Exploit - Mass Mailing Worm fires quite often in my setup of MARS, and I haven't really been able to set up any trends, as we have a large base of legit mail traffic. I'm worried I will filter out legit mail IPs by setting up ACLs, and on the flip side I don't want to miss any events if I fine-tune it to not alert and log to the DB only.

Does anybody have a similar scenario? If so, how do you go about baselining the mail traffic, and/or tweaking the rule to benefit your environment (the count of 20 in this rule seems kind of low to me..?)

Replies

This event is mostly generated by the DENY ACL events reported from firewalls. You have to make 'Drop Rules' in MARS to tune false positives or should I say 'don't care' events.

For example, at one site we had a customer guest zone (wireless); it generated the most such events, so I had to make a drop rule for that zone after making sure the ACL was as specific as possible. After all, do I care if a contractor forgot to close his p2p software? (As long as it's blocked.)

In the environment I am in (and I am guessing most people are in) we get legitimate email from outside mail servers that fires this rule often. We are a mid to large size company, so we get a lot of mail flow. The problem is that the legitimate mail comes in from all over, especially to our marketing department, and varies week to week (sometimes day to day). I am sure that this is common with other users' setups (no? anybody have the same environment?).

I am just curious as to how to "tune" this rule to still be alert for mass mailing, but rule out any normal traffic.

Is setting the count to 50 too high? Would setting the rule to only check for internal IPs be an accurate way to look for mass mailing worms?

Are there common destinations for your email traffic? I have been able to successfully tune out legit mail traffic while catching compromised email accounts sending spam by copying the rule and adjusting the threshold. All of our mail goes through our mail encryption servers and gets sent to relays from there, so these two servers are the only sources I have to focus on. I also made a custom hourly report that has these two servers as the source. Now when the copied rule is triggered I can look at the report and get a pretty detailed graph in near real time that shows how big a spike we are seeing in SMTP and make a judgment on whether it's spam activity or not.
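The baselining approach the thread circles around (per-source count of distinct SMTP destinations inside a time window, with the known relays exempted so the threshold can be set from what the remaining hosts actually do) can be checked offline against exported firewall deny logs. The script below is an added example, not code from the thread or from MARS; it assumes a constructed "timestamp src dst:port action" syslog layout and constructed addresses, so the parser would need adjusting to a real firewall's format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample deny events (not from any real deployment)."""
    base = datetime(2024, 3, 1, 10, 0, 0)

    def line(i, src, dst):
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        return f"{ts} {src} {dst}:25 DENY"

    lines = [line(i, "192.0.2.10", f"203.0.113.{i + 1}") for i in range(30)]  # assumed relay
    lines += [line(i, "10.0.0.7", f"198.51.100.{i + 1}") for i in range(2)]   # normal host
    lines += [line(i, "10.0.0.55", f"198.51.100.{i + 1}") for i in range(25)]  # suspicious host
    return "\n".join(lines)


def parse_events(log_text):
    """Keep only denied SMTP (port 25) connections as (timestamp, src, dst)."""
    events = []
    for raw in log_text.splitlines():
        ts, src, dst_port, action = raw.split()
        dst, port = dst_port.rsplit(":", 1)
        if port == "25" and action == "DENY":
            events.append((datetime.fromisoformat(ts), src, dst))
    return events


def peak_distinct_destinations(events, window_minutes=60):
    """Per source: most distinct SMTP destinations seen in any sliding window."""
    by_src = defaultdict(list)
    for ts, src, dst in events:
        by_src[src].append((ts, dst))
    window, peaks = timedelta(minutes=window_minutes), {}
    for src, items in by_src.items():
        items.sort()
        counts, queue, best = defaultdict(int), deque(), 0
        for ts, dst in items:
            queue.append((ts, dst))
            counts[dst] += 1
            while queue[0][0] < ts - window:          # expire events outside the window
                old_ts, old_dst = queue.popleft()
                counts[old_dst] -= 1
                if counts[old_dst] == 0:
                    del counts[old_dst]
            best = max(best, len(counts))
        peaks[src] = best
    return peaks


def flag_mass_mailers(log_text, threshold=20, window_minutes=60, exempt=frozenset()):
    """Sources at or above the threshold, minus the relays you expect to fan out."""
    peaks = peak_distinct_destinations(parse_events(log_text), window_minutes)
    return {s: n for s, n in peaks.items() if n >= threshold and s not in exempt}
```

Running `peak_distinct_destinations` over a week of real exports, with the relays exempted, gives the per-host distribution from which a threshold such as the 20 or 50 discussed above can be judged rather than guessed.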